Abstract

We present simple protocols for oblivious transfer and password-based identification which are secure against general attacks in the noisy-quantum-storage model as defined in [KWW09]. We argue that a technical tool from [KWW09] suffices to prove security of the known protocols. Whereas the more involved protocol for oblivious transfer from [KWW09] requires less noise in storage to achieve security, our "canonical" protocols have the advantage of being simpler to implement, and the security error is easier to control. Therefore, our protocols yield higher OT-rates for many realistic noise parameters.

Furthermore, the first proof of security of a direct protocol for password-based identification against general noisy-quantum-storage attacks is given.


1 Introduction

Throughout history, a main goal of cryptography has been to provide secure communication over 
insecure channels. In today's internet-driven society however, more advanced tasks arise: people 
need to do business and interact with peers they neither know nor trust. A simple example is secure 
identification: Users Alice and Bob share a password P and when setting up a communication, 
Alice wants to make sure she is really interacting with Bob — the only other person who knows 
P. Simply announcing P is insecure, as any eavesdropper can intercept P and use it later to 
impersonate Bob. We need a method to check whether two parties are in possession of the same 
password, but without revealing any additional information. 

Secure identification is a special case of the more general problem of secure two-party computa- 
tion: Alice and Bob want to perform a computation on private inputs in a way that they obtain the 
correct result but no additional information about their inputs is revealed. An interesting example
is sealed-bid auctions, where the winner should be determined without opening the losing bids.
Closer to everyday life, almost any interaction with an Automated Teller Machine (ATM) can be 
seen as an instance of secure two-party computation. 

The techniques used in modern classical cryptography to secure communication and provide 
secure two-party computation are based on unproven mathematical assumptions such as the hard- 
ness of finding the prime factors of large integer numbers (for example in the widely used RSA 
scheme [RSA78]). We do not know any practical schemes which are provably infeasible to break
and it is unlikely that the currently known mathematical techniques allow for such a scheme. In 
contrast, quantum cryptography, which is based on transmitting information stored in the state of
single elementary particles, offers schemes with provable security. 

The most prominent example is Quantum Key Distribution (QKD) which allows two honest 
parties to securely communicate. In 1984, Bennett and Brassard proposed a QKD protocol [BB84]
which was proven unconditionally secure [May95, Yao95, SP00]. In other words, security does



not rely on any unproven assumptions but holds against any eavesdropper Eve with unbounded 
(quantum) computing power. Such provably secure key-distribution schemes cannot be achieved 
by any classical means (without additional assumptions). It is important to realize that the tech- 
nical requirements for honest parties to perform QKD protocols are well within reach of current 
technology. As of today, the technology has even reached commercial level: at least three different
companies are selling hardware for QKD [Sma, idQ, Mag].



After the discovery of QKD, researchers thought it was possible to use quantum communica- 
tion to implement more advanced cryptographic primitives such as secure two-party computation. 
However, it was shown in the late 90s that essentially no cryptographic two-party primitives can 
be realized if only a quantum channel is available and no further restriction on the adversary is 
assumed [May97, LC97, Lo97]. In other words, secure two-party computation is more difficult to
achieve than key distribution. This is not completely surprising given the generality of secure two- 
party computation. Nevertheless, quantum cryptography might still help to achieve significantly 
better schemes than purely classical constructions. 

Indeed, in joint work with Damgard, Fehr and Salvail, we proposed in 2005 a new realistic 
assumption for quantum protocols under which provably secure two-party computation becomes 
possible [DFSS05]. The basic idea is to exploit the technical difficulty of storing quantum information.
In this bounded-quantum-storage model, security holds based on the sole assumption that
the parties' quantum memory during the execution of the protocol is upper bounded. No further 
restrictions on the (quantum) computing power nor the classical memory size are assumed. Storing 
quantum information requires to keep the state of very small physical systems such as single atoms 
or photons under stable conditions over a long time. Building a reliable quantum memory is a major 
research goal in experimental quantum physics [JSC+04, CMJ+05, EAM+05, CDLK08, AFK+08].



Despite these efforts, current technology only allows storage times of at most a few milliseconds. 

Even though breaking the security of our protocols requires a large quantum memory with 
long storage times, neither quantum memory nor the ability to perform quantum computations 
are needed to actually run the protocols; the technological requirements for honest parties are 
comparable to QKD and hence well within reach of current technology. Therefore, cryptographic 
schemes based on storage imperfections provide potentially very useful solutions for secure two- 
party computation with the advantage of much stronger security guarantees compared to classical 
technology. 



1.1 Bounded- versus Noisy-Quantum-Storage Model 

In the bounded-quantum-storage model, we assume that a dishonest receiver can perfectly store 
the incoming photons and perform perfect quantum operations under the sole restriction that at 
a certain point of the protocol, the size of his quantum memory is limited to a constant fraction 
of the total number of received photons. Bounding the size of the adversary's quantum storage in 
this way is a handy assumption to work with in security proofs. In a series of works over the last 
years [DFSS05, DFR+07, DFSS07, Sch07, DFSS08, DFSS10], it has been shown that any type of



secure two-party computation is possible in the bounded-quantum-storage model. 

On the other hand, simply limiting the adversary's quantum memory size does not capture 
correctly the difficulty one currently faces when trying to store photons. A better formalization 
of this difficulty is to assume that the dishonest receiver uses the best available (but still imperfect)
photon-storage device. The imperfection of the storage device is modeled as a noisy quantum
channel where the noise level of the channel increases with the amount of time during which the 
quantum information needs to be stored. With current technology, the noise reaches maximum 
level (i.e. the quantum information is completely lost) if a storage time in the order of milliseconds 
is required [JSC+04].

First results in this noisy-quantum-storage model have been established in joint work with
Terhal and Wehner [WST08, STW09]. Assuming "individual-storage attacks" — where the adversary
treats all incoming qubits in the same way — the security of oblivious transfer and password-based
identification was established using the original protocols from the bounded-quantum-storage
model [DFR+07, DFSS10].



The most general storage attacks were first mentioned in [Sch07], but addressed only recently
by König, Wehner and Wullschleger [KWW09]. In this most general model, the adversary can
for example try to use a quantum error-correcting code in order to protect himself from storage
errors. Concretely, he is allowed to first perform an arbitrary perfect "encoding attack" on the
incoming quantum state, then he uses his (noisy) quantum-storage device together with unlimited
classical memory and finally, he can again perform perfect quantum computations.^1 The authors
of [KWW09] show how the security of protocols in this general model can be related to the maximal 
rate of classical information that can be transmitted over the noisy storage channel. 

In more detail, [KWW09] introduces the conceptual novelty of splitting the security analysis of 
protocols for oblivious transfer and bit commitment in two phases. In the first phase, the players 
use the well-known BB84 quantum coding scheme to achieve a (quantum) primitive which the 
authors call weak string erasure. At the end of this phase, the sender has a classical n-bit string X 
and the receiver holds an "erased version" of the string where a uniformly random half of the bits 
of X have been erased. Note that this primitive is only classical for honest players, as a dishonest 
receiver might hold quantum information about the sender's classical output string. 

For the second (purely classical) phase, they propose classical reductions to build bit commit- 
ment and oblivious transfer based on weak string erasure. Their approach to realize oblivious 
transfer is quite involved. It uses interactive hashing [Sav07], for which the standard classical 
protocol requires a lot of communication rounds [NOVY98].^2 The analysis is complicated by the



fact that the dishonest receiver holds quantum information, but can be handled by techniques of 
min-entropy sampling developed by König and Renner [KR07]. It was left as an open question how
to build password-based identification based on weak string erasure or in general, secure against 
noisy-quantum-storage attacks. 



^1 A detailed description of the model of [KWW09] will be given in Section 3, see also Figure 1.
^2 A constant-round variant of interactive hashing has been proposed in [DHRS04]. However, it is unclear how
the weaker security guarantees affect the security proof in [KWW09]. The use of η-almost t-wise independent
permutations might render this variant "prohibitively complicated to implement in practice" [Sav07].
Table 1: Summary of previous results in the noisy-quantum-storage model and the results presented
here. 

1.2 Our Results and Outline of the Paper 

The main contribution of this paper is the insight that the new technical tool derived in [KWW09]
already suffices to prove secure the original protocols from the bounded-quantum-storage model for
bit commitment, oblivious transfer [DFR+07] and password-based identification [DFSS07, DFSS10].
These original protocols have the advantage that the classical post-processing is extremely simple.
No communication-intensive protocols such as interactive hashing are needed.

Comparing the protocol for oblivious transfer from [KWW09] with our protocol, it turns out
that the highly interactive protocol [KWW09] can in theory be shown secure for less noisy quantum-storage
channels if infinitely many pulses are available, i.e., security holds against a larger class
of adversarial receivers. However, the original protocols with the simpler analysis presented here
outperform the ones from [KWW09] in terms of the security error. Thus, for a fixed number of
pulses and a given security threshold, the simpler protocols and our analysis yield oblivious transfer
of longer bit-strings most of the time.

We show for the first time the security against general noisy-storage attacks of a direct protocol 
for password-based identification, answering an open question posed in [KWW09].

From a theoretical point of view, our insight shows that despite the generality of the noisy-quantum-storage
model, having the right tools from [DFR+07, KWW09] at hand, the protocols
and security proofs do not need to be much more complicated than in the conceptually simpler 
bounded-quantum-storage model. 

1.3 Outline of the Paper 

In Section 2 we define concepts and notation and elaborate on the essential tool of min-entropy
splitting in Section 2.3. We present the noisy-quantum-storage model and the key ingredient from [KWW09]
in Section 3. Sections 4, 5 and 6 contain the security analyses for oblivious transfer and password-based
identification.

2 Preliminaries 

We start by introducing the necessary definitions, tools and technical lemmas that we need in the 
remainder of this text. 

2.1 Basic Concepts 

We use $\in_R$ to denote the uniform choice of an element from a set. We further use $x|_I$ to denote the
string $x = x_1, \ldots, x_n$ restricted to the bits indexed by the set $I \subseteq \{1, \ldots, n\}$. For a binary random
variable $C$, we denote by $\bar{C}$ the bit different from $C$.






Classical-Quantum States. A cq-state $\rho_{XE}$ is a state that is partly classical, partly quantum,
and can be written as

$$\rho_{XE} = \sum_{x} P_X(x)\,|x\rangle\langle x| \otimes \rho_E^{x} .$$

Here, $X$ is a classical random variable distributed over the finite set $\mathcal{X}$ according to distribution
$P_X$, $\{|x\rangle\}_{x \in \mathcal{X}}$ is a set of orthonormal states and the register $E$ is in state $\rho_E^{x}$ when $X$ takes on value
$x$.



Conditional Independence. We also need to express that a random variable $X$ is (close to)
independent of a quantum state $E$ when given a random variable $Y$. This means that when given
$Y$, the state $E$ gives no additional information on $X$. Formally, this is expressed by requiring that
$\rho_{XYE}$ equals (or is close to) $\rho_{X \leftrightarrow Y \leftrightarrow E}$, which is defined as^3

$$\rho_{X \leftrightarrow Y \leftrightarrow E} := \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_E^{y} . \qquad (1)$$

In other words, $\rho_{XYE} = \rho_{X \leftrightarrow Y \leftrightarrow E}$ precisely if $\rho_E^{x,y} = \rho_E^{y}$ for all $x$ and $y$. To further illustrate its
meaning, notice that if the $Y$-register is measured and value $y$ is obtained, then the state $\rho_{X \leftrightarrow Y \leftrightarrow E}$
collapses to $\big(\sum_x P_{X|Y}(x|y)\,|x\rangle\langle x|\big) \otimes \rho_E^{y}$, so that indeed no further information on $x$ can be obtained
from the $E$-register. This notation naturally extends to $\rho_{X \leftrightarrow Y \leftrightarrow E|\mathcal{E}}$ simply by considering $\rho_{XYE|\mathcal{E}}$
instead of $\rho_{XYE}$. Explicitly, $\rho_{X \leftrightarrow Y \leftrightarrow E|\mathcal{E}} = \sum_{x,y} P_{XY|\mathcal{E}}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_E^{y|\mathcal{E}}$.



Non-uniformity. We can say that a quantum adversary has little information about $X$ if the
distribution $P_X$ given his quantum state is close to uniform. Formally, this distance is quantified
by the non-uniformity of $X$ given $\rho_E = \sum_x P_X(x)\rho_E^{x}$, defined as

$$d(X|E) := \Big\|\, \frac{\mathbb{1}}{|\mathcal{X}|} \otimes \rho_E \;-\; \sum_x P_X(x)\,|x\rangle\langle x| \otimes \rho_E^{x} \,\Big\|_1 . \qquad (2)$$

Intuitively, $d(X|E) \le \varepsilon$ means that the distribution of $X$ is $\varepsilon$-close to uniform even given $\rho_E$, i.e.,
$\rho_E$ gives hardly any information about $X$. A simple property of the non-uniformity which follows
from its definition is that it does not change given independent information. Formally,

$$d(X|E,D) = d(X|E) \qquad (3)$$

for any cqq-state of the form $\rho_{XED} = \rho_{XE} \otimes \rho_D$.



2.2 Entropic Quantities

Throughout this paper we use a number of entropic quantities. The binary-entropy function is
defined as $h(p) := -p \log p - (1-p)\log(1-p)$, where $\log$ denotes the logarithm to base 2 throughout
this paper.

^3 The notation is inspired by the classical setting where the corresponding independence of $X$ and $Z$ given $Y$ can
be expressed by saying that $X \leftrightarrow Y \leftrightarrow Z$ forms a Markov chain.
2.2.1 (Conditional) Smooth Min-Entropy



We are concerned with the situation where an attacker holds quantum information in register $E$
about a classical variable $X$, described by a classical-quantum state (cq-state) of the form

$$\rho_{XE} = \sum_x P_X(x)\,|x\rangle\langle x| \otimes \rho_E^{x} .$$

We define the guessing probability of $X$ given $E$ as the success probability of the best measurement
carried out on $E$ in order to guess $X$,

$$p_{\mathrm{guess}}(X|E) := \max_{\{M_x\}} \sum_x P_X(x)\,\mathrm{Tr}\big(M_x \rho_E^{x}\big) ,$$

where the maximisation is over all POVMs $\{M_x\}$ acting on register $E$. The conditional min-entropy
of $X$ given $E$ is defined as $H_{\min}(X|E) := -\log p_{\mathrm{guess}}(X|E)$.

In case the adversary's information $E$ is described by a classical variable $Y$, one can show that
the guessing probability becomes

$$p_{\mathrm{guess}}(X|Y) := \sum_y P_Y(y)\,\max_x P_{X|Y}(x|y) = \sum_y \max_x P_{XY}(x,y) .$$

More generally, we define $H_{\min}(X\mathcal{E}|Y)$ for any event $\mathcal{E}$ as $H_{\min}(X\mathcal{E}|Y) := -\log\big(p_{\mathrm{guess}}(X\mathcal{E}|Y)\big)$
where^4

$$p_{\mathrm{guess}}(X\mathcal{E}|Y) := \sum_y P_Y(y)\,\max_x P_{X\mathcal{E}|Y}(x|y) = \sum_y \max_x P_{XY\mathcal{E}}(x,y) .$$

The conditional smooth min-entropy $H^{\varepsilon}_{\min}(X|Y)$ is then defined as

$$H^{\varepsilon}_{\min}(X|Y) := \max_{\mathcal{E}} H_{\min}(X\mathcal{E}|Y)$$

where the max is over all events $\mathcal{E}$ with $P[\mathcal{E}] \ge 1 - \varepsilon$.

Obviously, the unconditional versions of smooth and non-smooth min-entropy are obtained by
using a constant $Y$. Furthermore, conditional smooth min-entropy can also be defined for quantum
side information; we refer to [Ren05, KWW09] for the formal definitions.

In this paper, we will use the fact that smooth min-entropy obeys the chain rule [Ren05,
Theorem 3.2.12], i.e. for a ccq-state $\rho_{XYE}$, we have

$$H^{\varepsilon}_{\min}(X|YE) \ge H^{\varepsilon}_{\min}(X|E) - \log|\mathcal{Y}| , \qquad (4)$$

where $|\mathcal{Y}|$ is the alphabet size of $Y$.



2.3 Min-Entropy Splitting 

The key ingredients for the security proofs of both the 1-2 OT and the secure identification schemes
in [DFR+07, DFSS07] are uncertainty relations and variants of the min-entropy splitting lemma. In
this section, we present an overview over the variants known and derived for the bounded-quantum-storage
model and point out how they can be applied in the noisy-quantum-storage model.

^4 $p_{\mathrm{guess}}(X\mathcal{E}|Y)$ can be understood as the optimal probability of guessing $X$ and having $\mathcal{E}$ occur, when given $Y$.
If the joint entropy of two random variables $X_0$ and $X_1$ is large, then one is tempted to conclude
that at least one of $X_0$ and $X_1$ must still have large entropy, e.g. half of the original entropy. Whereas
such a reasoning is correct for Shannon entropy (it follows easily from the chain rule and the fact
that conditioning does not increase the entropy), it is in general incorrect for min-entropy. There
exist joint probability distributions $P_{X_0X_1}$ for which guessing $X_0$ and $X_1$ individually is easy, but
guessing $X_0$ and $X_1$ simultaneously is hard. Intuitively, for these distributions, guessing the value
$X_i$ with the highest probability is easy, because the probabilities over the other variable $X_{1-i}$ are
uniform, but still sum up to a significant mass.

However, the following basic version of the min-entropy splitting lemma, which first appeared
in a preliminary version of [Wul07] and was later developed further in the context of randomness
extraction [KR07], shows that the intuition about splitting the min-entropy is correct in a randomized
sense. This lemma (with a slightly different notion of min-entropy) is used in the security
proof of the 1-2 OT scheme in [DFR+07].

Lemma 2.1 (Min-Entropy-Splitting Lemma [DFR+07]) Let $\varepsilon \ge 0$, and let $X_0, X_1$ and $Z$ be
random variables with $H^{\varepsilon}_{\min}(X_0X_1|Z) \ge \alpha$. Then, there exists a random variable $D \in \{0,1\}$ such
that

$$H^{\varepsilon}_{\min}(X_D|DZ) \ge \alpha/2 - 1 .$$

Proof. Let $\mathcal{E}$ be an event such that $P[\mathcal{E}] \ge 1 - \varepsilon$ and

$$\sum_z P_Z(z) \cdot \max_{x_0,x_1} P_{X_0X_1\mathcal{E}|Z}(x_0,x_1|z) \le 2^{-\alpha} . \qquad (5)$$

By assumption, such an event exists.^5 For a given $z$, we define $D$ to be $0$ if and only if $P_{X_0|Z}(X_0|z) <
2^{-\alpha/2}$. Then,

$$\sum_z P_Z(z) \cdot \max_{x_0} P_{X_0D\mathcal{E}|Z}(x_0,0|z) \;\le\; \sum_z P_Z(z) \cdot \max_{x_0} P_{X_0D|Z}(x_0,0|z)
\;=\; \sum_z P_Z(z) \cdot \max_{x_0} P_{X_0|Z}(x_0|z)\,P_{D|X_0Z}(0|x_0,z) \;\le\; 2^{-\alpha/2} , \qquad (6)$$

because either $P_{X_0|Z}(x_0|z) < 2^{-\alpha/2}$ or $P_{D|X_0Z}(0|x_0,z) = 0$ by definition of $D$. On the other hand,
we have

$$\sum_z P_Z(z) \cdot \max_{x_1} P_{X_1D\mathcal{E}|Z}(x_1,1|z) \;=\; \sum_z P_Z(z) \cdot \max_{x_1} \sum_{x_0} P_{X_0X_1D\mathcal{E}|Z}(x_0,x_1,1|z)
\;\le\; 2^{\alpha/2} \sum_z P_Z(z) \cdot \max_{x_0,x_1} P_{X_0X_1\mathcal{E}|Z}(x_0,x_1|z) \;\le\; 2^{-\alpha/2} , \qquad (7)$$

where the last inequality follows from the assumption (5) and the first is a consequence of the
fact that the number of non-zero summands (in the sum over $x_0$) cannot be larger than $2^{\alpha/2}$,
because for any $x_0$ with $P_{X_0X_1D|Z}(x_0,x_1,1|z) > 0$, it also holds (by the definition of $D$) that
$P_{X_0|Z}(x_0|z) \ge 2^{-\alpha/2}$ and the sum over all those $x_0$ would exceed 1 if there were more than $2^{\alpha/2}$
summands.

Combining (6) and (7), we conclude that

$$p_{\mathrm{guess}}(X_D\mathcal{E}|DZ) = \sum_d \sum_z P_Z(z) \cdot \max_{x_d} P_{X_dD\mathcal{E}|Z}(x_d,d|z) \le 2 \cdot 2^{-\alpha/2} .$$

The claim now follows by definition of $H^{\varepsilon}_{\min}$. □

^5 In case $\varepsilon = 0$, i.e., $\alpha$ lower bounds the ordinary (rather than the smooth) min-entropy, $\mathcal{E}$ is the event "that
always occurs" and can be ignored for the rest of the analysis.


In order to prove the security of the identification scheme (see Section 6), a more refined version
of the min-entropy splitting lemma was derived in [DFSS10]. We reproduce it here for convenience.

Lemma 2.2 (Entropy-Splitting Lemma [DFSS10]) Let $\varepsilon \ge 0$. Let $X_1, \ldots, X_m$ and $Z$ be random
variables such that $H^{\varepsilon}_{\min}(X_iX_j|Z) \ge \alpha$ for all $i \neq j$. Then there exists a random variable $V$ over
$\{1, \ldots, m\}$ such that for any independent random variable $W$ over $\{1, \ldots, m\}$ with $H_{\min}(W) \ge 1$,

$$H^{2m\varepsilon}_{\min}(X_W|VWZ, V \neq W) \ge \alpha/2 - \log(m) - 1 .$$

Proof. For any pair $i \neq j$ let $\mathcal{E}_{ij}$ be an event such that $P[\mathcal{E}_{ij}] \ge 1 - \varepsilon$ and

$$\sum_z P_Z(z) \cdot \max_{x_i,x_j} P_{X_iX_j\mathcal{E}_{ij}|Z}(x_i,x_j|z) \le 2^{-\alpha} \qquad (8)$$

for all $x_i \in \mathcal{X}_i$, $x_j \in \mathcal{X}_j$ and $z \in \mathcal{Z}$. By assumption, such events exist.^6 For any $j = 1, \ldots, m-1$
define

$$L_j := \big\{(x_1, \ldots, x_m, z) : P_{X_1|Z}(x_1|z), \ldots, P_{X_{j-1}|Z}(x_{j-1}|z) < 2^{-\alpha/2} \ \wedge\ P_{X_j|Z}(x_j|z) \ge 2^{-\alpha/2}\big\} .$$

Informally, $L_j$ consists of the tuples $(x_1, \ldots, x_m, z)$ where $x_j$ has "large" probability given $z$ whereas
all previous entries have small probabilities. We define $V$ as follows. We let $V$ be the index
$j \in \{1, \ldots, m-1\}$ such that $(X_1, \ldots, X_m, Z) \in L_j$, and in case there is no such $j$ we let $V$ be $m$.
Note that if there does exist such a $j$ then it is unique.

We need to show that this $V$ satisfies the claim. Fix $j \in \{1, \ldots, m\}$. Clearly, for $i < j$,

$$\sum_z P_Z(z) \cdot \max_{x_i} P_{X_iV\mathcal{E}_{ij}|Z}(x_i,j|z) \;\le\; \sum_z P_Z(z) \cdot \max_{x_i} P_{X_iV|Z}(x_i,j|z)
\;=\; \sum_z P_Z(z) \cdot \max_{x_i} P_{X_i|Z}(x_i|z)\,P_{V|X_iZ}(j|x_i,z) \;\le\; 2^{-\alpha/2} . \qquad (9)$$

Indeed, either $P_{X_i|Z}(x_i|z) < 2^{-\alpha/2}$ or $P_{V|X_iZ}(j|x_i,z) = 0$ by definition of $V$. Consider now $i > j$.
Note that

$$\sum_z P_Z(z) \cdot \max_{x_i} P_{X_iV\mathcal{E}_{ij}|Z}(x_i,j|z) \;=\; \sum_z P_Z(z) \cdot \max_{x_i} \sum_{x_j} P_{X_iX_jV\mathcal{E}_{ij}|Z}(x_i,x_j,j|z)
\;\le\; 2^{\alpha/2} \sum_z P_Z(z) \cdot \max_{x_i,x_j} P_{X_iX_j\mathcal{E}_{ij}|Z}(x_i,x_j|z) \;\le\; 2^{-\alpha/2} , \qquad (10)$$

where the last inequality follows from the assumption (8) and the first is a consequence of the fact
that the number of non-zero summands (in the sum over $x_j$) cannot be larger than $2^{\alpha/2}$, because
for any $x_j$ with $P_{X_iX_jV\mathcal{E}_{ij}|Z}(x_i,x_j,j|z) > 0$ it also holds that $P_{X_j|Z}(x_j|z) \ge 2^{-\alpha/2}$ and the sum
over all those $x_j$ would exceed 1 if there were more than $2^{\alpha/2}$ summands. Note that per se, $\mathcal{E}_{ij}$ is
only defined in the probability space given by $X_i$, $X_j$ and $Z$, but it can be naturally extended to
the probability space given by $X_1, \ldots, X_m, Z, V$ by assuming it to be independent of anything else
when given $X_i, X_j, Z$, so that e.g. $P_{X_iV\mathcal{E}_{ij}|Z}$ is indeed well-defined.

Consider now an independent random variable $W$ with $H_{\min}(W) \ge 1$. By the assumptions on $W$
it holds that $P[V \neq W] \ge \frac{1}{2}$ and $P_{X_WVWZ}(x_i,j,i,z) = P_{X_iVWZ}(x_i,j,i,z) = P_{X_iVZ}(x_i,j,z)\,P_W(i)$.
In the probability space determined by the random variables $X_1, \ldots, X_m, V, W, Z$ and all of the
$\mathcal{E}_{ij}$, define the event $\mathcal{E}$ as $\mathcal{E} := \mathcal{E}_{WV}$, so that $P_{X_WVW\mathcal{E}|Z}(x_i,j,i|z) = P_{X_iVW\mathcal{E}_{ij}|Z}(x_i,j,i|z) =
P_{X_iV\mathcal{E}_{ij}|Z}(x_i,j|z)\,P_W(i)$. Note that

$$P[\bar{\mathcal{E}}] = \sum_{i,j} P_{VW\bar{\mathcal{E}}_{ij}}(j,i) = \sum_{i,j} P_{V\bar{\mathcal{E}}_{ij}}(j)\,P_W(i) \le \sum_{i,j} P[\bar{\mathcal{E}}_{ij}]\,P_W(i) \le m\varepsilon$$

and thus $P[\bar{\mathcal{E}} \mid V \neq W] \le P[\bar{\mathcal{E}}]/P[V \neq W] \le 2m\varepsilon$. From the above, it follows that

$$p_{\mathrm{guess}}(X_W\mathcal{E}|VWZ, V \neq W) = \sum_{z,i,j} \max_x P_{X_WVWZ\mathcal{E}|V \neq W}(x,j,i,z) \le 2 \sum_{z,\,i \neq j} \max_x P_{X_WVWZ\mathcal{E}}(x,j,i,z)$$
$$= 2 \sum_{z,\,i \neq j} P_Z(z) \cdot \max_x P_{X_WVW\mathcal{E}|Z}(x,j,i|z) = 2 \sum_{z,\,i \neq j} P_Z(z) \cdot \max_{x_i} P_{X_iV\mathcal{E}_{ij}|Z}(x_i,j|z) \cdot P_W(i)$$
$$= 2 \sum_i P_W(i) \sum_{j \neq i} \sum_z P_Z(z) \cdot \max_{x_i} P_{X_iV\mathcal{E}_{ij}|Z}(x_i,j|z) \le 2m \cdot 2^{-\alpha/2} ,$$

where we used (9) and (10) in the last inequality. The claim now follows by definition of $H^{\varepsilon}_{\min}$. □

^6 In case $\varepsilon = 0$, i.e., $\alpha$ lower bounds the ordinary (rather than the smooth) min-entropy, the $\mathcal{E}_{ij}$ are the events
"that always occur" and can be ignored for the rest of the analysis.



2.4 Quantum Uncertainty Relation

At the very core of our security proofs lies (a special case of) the quantum uncertainty relation
from [DFR+07]^7 that lower bounds the (smooth) min-entropy of the outcome when measuring an
arbitrary $n$-qubit state in a random basis $\theta \in \{0,1\}^n$.

Theorem 2.3 (Uncertainty Relation [DFR+07]) Let $E$ be an arbitrary fixed $n$-qubit state.
Let $\Theta$ be uniformly distributed over $\{+,\times\}^n$ (independent of $E$), and let $X \in \{0,1\}^n$ be the random
variable for the outcome of measuring $E$ in basis $\Theta$. Then, for any $\delta > 0$, the conditional smooth
min-entropy is lower bounded by

$$H^{\varepsilon}_{\min}(X|\Theta) \ge \Big(\frac{1}{2} - 2\delta\Big)\,n$$

with $\varepsilon \le 2^{-\alpha(\delta)\,n}$ and

$$\alpha(\delta) = \frac{\delta^2 \log(e)}{32\,(2 - \log \delta)^2} .$$

^7 In [DFR+07], a stricter notion of conditional smooth min-entropy was used, which in particular implies the bound
as stated here.
2.5 Privacy Amplification

We will make use of two-universal hash functions. A class $\mathcal{F}$ of functions $f : \{0,1\}^n \to \{0,1\}^{\ell}$
is called two-universal, if for all $x \neq y \in \{0,1\}^n$, we have $\Pr_{f \in_R \mathcal{F}}[f(x) = f(y)] \le 2^{-\ell}$ [CW79].
The following theorem expresses how the application of hash functions increases the privacy of a
random variable $X$ given a quantum adversary holding $\rho_E$, the function $F$ and a classical random
variable $U$:

Theorem 2.4 ([Ren05, DFR+07]) Let $\mathcal{F}$ be a class of two-universal hash functions from $\{0,1\}^n$
to $\{0,1\}^{\ell}$. Let $F$ be a random variable that is uniformly and independently distributed over $\mathcal{F}$, and
let $\rho_{XUE}$ be a ccq-state. Then, for any $\varepsilon \ge 0$,

$$d(F(X)|F, U, E) \le 2^{-\frac{1}{2}\left(H^{\varepsilon}_{\min}(X|UE) - \ell\right) - 1} + \varepsilon .$$



3 The Noisy-Quantum-Storage Model

The noisy-quantum-storage model has been established in [WST08, STW09] for the special case
where the dishonest receiver is limited to so-called "individual-storage attacks", i.e. he treats every
incoming pulse independently (akin to individual attacks in QKD).

The most general setting considered here is exactly the one described in detail in [KWW09,
Sections 1.3 and 3.3], see Figure 1 for an illustration. The cheating receiver is computationally unbounded,
has unlimited classical storage and can perform perfect quantum operations. If the
protocol instructs parties to wait for time $\Delta t$, a dishonest player has to discard all quantum
information, except for what he can encode arbitrarily into his (noisy) quantum storage. This
storing process is formally described by a completely positive and trace-preserving (CPTP) map
$\mathcal{F} : \mathcal{B}(\mathcal{H}_{in}) \to \mathcal{B}(\mathcal{H}_{out})$.

As in [KWW09], let

$$P^{\mathcal{F}}_{succ}(n) := \max_{\{\rho_x\},\{D_x\}} \frac{1}{2^n} \sum_{x \in \{0,1\}^n} \mathrm{Tr}\big(D_x\,\mathcal{F}(\rho_x)\big) \qquad (12)$$

be the maximal success probability of correctly decoding a randomly chosen $n$-bit string $x \in \{0,1\}^n$
sent over the quantum channel $\mathcal{F}$. Here, the maximum is over families of code states $\{\rho_x\}_{x \in \{0,1\}^n}$
on $\mathcal{H}_{in}$ and decoding POVMs $\{D_x\}_{x \in \{0,1\}^n}$ on $\mathcal{H}_{out}$.

Intuitively, if the quantum channel $\mathcal{F}$ does not allow to transmit enough classical information
over it, we should be able to prove security against a dishonest Bob with such a storage channel.
Indeed, the following two lemmas from [KWW09] formalize this intuition and are the key ingredients
to connect the security of protocols in the noisy-storage model for such channels with their ability
to transmit classical information.

Lemma 3.1 ([KWW09]) Consider an arbitrary cq-state $\rho_{XQ}$ and a CPTP map $\mathcal{F} : \mathcal{B}(\mathcal{H}_Q) \to
\mathcal{B}(\mathcal{H}_{out})$. Then, $H_{\min}(X|\mathcal{F}(Q)) \ge -\log P^{\mathcal{F}}_{succ}\big(\lfloor H_{\min}(X) \rfloor\big)$.

Lemma 3.2 ([KWW09]) Consider an arbitrary ccq-state $\rho_{XTQ}$, and let $\varepsilon, \varepsilon' \ge 0$ be arbitrary.
Let $\mathcal{F} : \mathcal{B}(\mathcal{H}_Q) \to \mathcal{B}(\mathcal{H}_{Q_{out}})$ be an arbitrary CPTP map. Then,

$$H^{\varepsilon + \varepsilon'}_{\min}(X|T\mathcal{F}(Q)) \ge -\log P^{\mathcal{F}}_{succ}\Big(\Big\lfloor H^{\varepsilon}_{\min}(X|T) - \log\frac{1}{\varepsilon'} \Big\rfloor\Big) .$$
Figure 1: (from [WCSL10]): During waiting times $\Delta t$, the adversary must use his noisy quantum
storage described by the CPTP map $\mathcal{F}$. Before using his quantum storage, he performs any (error-free)
"encoding attack" of his choosing, which consists of a measurement or an encoding into an
error-correcting code. After time $\Delta t$, he receives some additional information that he can use for
decoding.

We are interested in channels $\mathcal{N}$ which satisfy the following strong-converse property: The
success probability (12) decays exponentially for rates $R$ above the capacity, i.e., it takes the form

$$P^{\mathcal{N}^{\otimes n}}_{succ}(nR) \le 2^{-n\,\gamma^{\mathcal{N}}(R)} \quad \text{where } \gamma^{\mathcal{N}}(R) > 0 \text{ for all } R > C_{\mathcal{N}} . \qquad (13)$$

In [KW09], property (13) was shown to hold for a large class of channels. An important example
for which we obtain security is the $d$-dimensional depolarizing channel $\mathcal{N}_r : \mathcal{B}(\mathbb{C}^d) \to \mathcal{B}(\mathbb{C}^d)$ defined
for $d \ge 2$ as

$$\mathcal{N}_r(\rho) := r\rho + (1-r)\frac{\mathbb{1}}{d} \quad \text{for some fixed } 0 \le r \le 1 , \qquad (14)$$

which replaces the input state $\rho$ with the completely mixed state with probability $1-r$. For $d = 2$,
having storage channel $\mathcal{N}_r^{\otimes n}$ means that the adversary can store $n$ qubits which are affected by
independent and identically distributed noise. To see for which values of $r$ we can obtain security,
we need to consider the classical capacity of the depolarizing channel as evaluated by King [Kin03].
For $d = 2$, i.e., qubits, it is given by

$$C_{\mathcal{N}_r} = 1 + \frac{1+r}{2}\log\frac{1+r}{2} + \frac{1-r}{2}\log\frac{1-r}{2} .$$

4 1-2 Oblivious Transfer

4.1 Security Definition and Protocol

In this section we prove the security of a randomized version of 1-2 OT (Theorem 4.2) from which
we can easily obtain 1-2 OT. In such a randomized 1-2 OT protocol, Alice does not input two strings
herself, but instead receives two strings $S_0, S_1 \in \{0,1\}^{\ell}$ chosen uniformly at random. Randomized
OT (ROT) can easily be converted into OT. After the ROT protocol is completed, Alice uses her
strings $S_0, S_1$ obtained from ROT as one-time pads to encrypt her original inputs $\hat{S}_0$ and $\hat{S}_1$, i.e. she
sends an additional classical message consisting of $\hat{S}_0 \oplus S_0$ and $\hat{S}_1 \oplus S_1$ to Bob. Bob can retrieve the
message of his choice by computing $S_C \oplus (\hat{S}_C \oplus S_C) = \hat{S}_C$. He stays completely ignorant about the
other message $\hat{S}_{1-C}$ since he is ignorant about $S_{1-C}$. The security of a quantum protocol implementing
ROT is formally defined in [DFR+07] and justified in [FS09] (see also [WW08]).

Definition 4.1 An $\varepsilon$-secure 1-2 ROT$^{\ell}$ is a protocol between Alice and Bob, where Bob has input
$C \in \{0,1\}$, and Alice has no input.

• (Correctness) If both parties are honest, then for any distribution of Bob's input $C$, Alice gets
outputs $S_0, S_1 \in \{0,1\}^{\ell}$ which are $\varepsilon$-close to uniform and independent of $C$ and Bob learns
$Y = S_C$ except with probability $\varepsilon$.

• (Security against dishonest Alice) If Bob is honest and obtains output $Y$, then for any cheating
strategy of Alice resulting in her state $\rho_A$, there exist random variables $S'_0$ and $S'_1$ such that
$\Pr[Y = S'_C] \ge 1 - \varepsilon$ and $C$ is independent of $S'_0, S'_1$ and $\rho_A$.^8

• (Security against dishonest Bob) If Alice is honest, then for any cheating strategy of Bob
resulting in his state $\rho_B$, there exists a random variable $D \in \{0,1\}$ such that $d(S_{1-D}|S_D D \rho_B) \le
\varepsilon$.

We consider the same protocol for ROT as in |BBCS91llD~FL+09j . 

Protocol 1 r |BBCS91LlDFL+09p 1-2 ROT 1 

1. Alice picks x G_r {0, l} n and 9 G_r {+, x}". At time t = 0, she sends \x\) e , . . . , \x n ) e to 
Bob. 

2. Bob picks 9 G_r {+, x}™ at random and measures the ith qubit in the basis 9{. He obtains 
outcome x G {0, l} n . 

Both parties wait time At. 

3. Alice sends the basis information 9 = B\, ■ ■ ■ , 9 n to Bob. 

4- Bob, holding choice bit c, forms the sets I c = {i G [n] \ 9{ = 9{\ and Xi_ c = {i G [n] \ 9{ ^ 9i}. 
He sends Io,I\ to Alice. 

5. Alice picks two hash functions fo, fi Gr T , where T is a class of two-universal hash functions. 
She sends /o,/i to Bob. Alice outputs so = fo( x \x ) an d s i = /l(^|zi)ll- 

6. Bob outputs s c = f c ( x \xc)- 

8 Existence of the random variables S'_0, S'_1 has to be understood as follows: given the cq-state ρ_{YA} of honest Bob and dishonest Alice, there exists a cccq-state ρ_{Y S'_0 S'_1 A} such that tracing out the registers of S'_0, S'_1 yields the original state ρ_{YA} and the stated properties hold.

9 If x|_{I_b} is less than n bits long, Alice pads the string x|_{I_b} with 0's to get an n-bit string in order to apply the hash function to n bits.
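As an added illustration (not code from the paper), the following Python simulation runs Protocol 1 between honest parties and then applies the ROT-to-OT reduction described at the start of this section. Two assumptions of the example, not prescriptions of the paper: the BB84 measurement is replaced by a classical stand-in (agreeing bases reproduce the bit, disagreeing bases yield a uniformly random bit), and the two-universal hash family F is instantiated by random Toeplitz matrices over GF(2).

```python
import secrets

def random_bits(n):
    """n uniformly random bits; 0/1 also encode the bases + and x."""
    return [secrets.randbelow(2) for _ in range(n)]

def measure(x, theta, theta_hat):
    """Classical stand-in for measuring |x_i>_{theta_i} in basis theta_hat_i:
    the outcome is x_i if the bases agree and a fresh uniform bit otherwise."""
    return [xi if t == th else secrets.randbelow(2)
            for xi, t, th in zip(x, theta, theta_hat)]

def toeplitz_hash(seed, bits, n, ell):
    """Two-universal hash {0,1}^n -> {0,1}^ell given by the ell x n Toeplitz
    matrix over GF(2) whose diagonals are the n + ell - 1 seed bits.
    Inputs shorter than n are zero-padded, as in footnote 9."""
    padded = bits + [0] * (n - len(bits))
    return [sum(seed[i - j + n - 1] & padded[j] for j in range(n)) % 2
            for i in range(ell)]

def rot_protocol(n, ell, c):
    """Honest run of Protocol 1 for Bob's choice bit c.
    Returns Alice's outputs (s_0, s_1), Bob's output s_c and the sets I_0, I_1."""
    # Step 1: Alice picks x and theta and sends |x_i>_{theta_i}.
    x, theta = random_bits(n), random_bits(n)
    # Step 2: Bob measures every qubit in a random basis theta_hat_i.
    theta_hat = random_bits(n)
    x_hat = measure(x, theta, theta_hat)
    # (Both parties wait Delta t: a dishonest Bob would have to store the qubits here.)
    # Step 3: Alice announces theta.  Step 4: Bob labels the agreeing positions I_c.
    sets = {c: [i for i in range(n) if theta[i] == theta_hat[i]],
            1 - c: [i for i in range(n) if theta[i] != theta_hat[i]]}
    # Step 5: Alice picks f_0, f_1, announces them and outputs s_b = f_b(x|I_b).
    f = [random_bits(n + ell - 1), random_bits(n + ell - 1)]
    s = [toeplitz_hash(f[b], [x[i] for i in sets[b]], n, ell) for b in (0, 1)]
    # Step 6: Bob applies f_c to his outcomes on I_c, where x_hat equals x.
    s_c_bob = toeplitz_hash(f[c], [x_hat[i] for i in sets[c]], n, ell)
    return s, s_c_bob, sets

def rot_to_ot(s, s_c_bob, messages, c):
    """Reduction from ROT to OT: Alice masks her messages S_0, S_1 with the ROT
    outputs (S_b xor hat S_b) and Bob unmasks the one whose key he holds."""
    masked = [[m ^ k for m, k in zip(messages[b], s[b])] for b in (0, 1)]
    return [m ^ k for m, k in zip(masked[c], s_c_bob)]

if __name__ == "__main__":
    n, ell = 64, 16
    for c in (0, 1):
        s, s_c_bob, sets = rot_protocol(n, ell, c)
        msgs = [random_bits(ell), random_bits(ell)]   # constructed sample messages
        print("choice", c, "|I_0| =", len(sets[0]), "|I_1| =", len(sets[1]),
              "s_c agrees:", s[c] == s_c_bob,
              "OT message recovered:", rot_to_ot(s, s_c_bob, msgs, c) == msgs[c])
```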
4.2 Security Analysis

Correctness First of all, note that it is clear that the protocol fulfills its task correctly. Bob can determine the string x|_{I_c} (the set I_c is non-empty except with negligible probability 2^{−n}) and hence obtains s_c. Alice's outputs s_0, s_1 are perfectly independent of each other and of c.



Security against Dishonest Alice Security holds in the same way as shown in [DFR+07]. Alice cannot learn anything about Bob's choice bit from the index information I_0, I_1 she receives, and Alice's input strings can be extracted by letting her interact with an unbounded receiver.

Security against Dishonest Bob Proving that the protocol is secure against Bob requires more work. Our goal is to show that there exists a D ∈ {0,1} such that Bob with noisy storage as described in Section 3 is completely ignorant about S_{1−D}. Since we are performing 1-out-of-2 oblivious transfer of ℓ-bit strings, ℓ corresponds to the "amount" of oblivious transfer we can perform for a given security parameter ε and number of qubits n.

Theorem 4.2 Fix 0 < δ < ¼ and let

ε = 2 exp( −(δ/4)² / (32 (2 + log(1/δ))²) · n ).    (15)

Then, for any attack of a dishonest Bob with storage F : B(H_in) → B(H_out), Protocol 1 is 2ε-secure against a dishonest receiver Bob according to Definition 4.1 if n ≥ 4/δ and

ℓ ≤ −½ log P^F_succ((¼ − δ) n) − log(1/ε).

Proof. We need to show the existence of a binary random variable D such that S_{1−D} is ε-close to uniform from Bob's point of view.

We can argue as in the proof of the security of weak string erasure for honest Alice (Section 3.3 in [KWW09]) that

where K denotes Bob's classical information obtained from the encoding attack. Classical min-entropy splitting (Lemma 2.1) then ensures that there exists a binary random variable D ∈ {0,1} such that

H^ε_min(X_{1−D} | D Θ K) ≥ (½ − δ) n / 2 − 1.

One can now continue to argue as in the proof of Theorem 3.3 in [KWW09], i.e. we use Lemma 3.2 to get

H^ε_min(X_{1−D} | D Θ K Q_out) ≥ −log P^F_succ( (½ − δ) n / 2 − 1 − log(1/ε) ) ≥ −log P^F_succ( (¼ − δ) n ),

where the last step follows in the same way as in [KWW09] from the monotonicity of the success probability P^F_succ(m) ≤ P^F_succ(m') for m ≥ m' and the fact that log(1/ε) ≤ (δ/4) n ≤ (δ/2) n − 1.
The rest of the security proof is analogous to the proof in [DFR+07]: It follows from the chain rule for smooth min-entropy ((1)) that

H^ε_min(X_{1−D} | D Θ S_D K Q_out) ≥ H^ε_min(X_{1−D} S_D | D Θ K Q_out) − ℓ ≥ −log P^F_succ((¼ − δ) n) − ℓ.

The privacy amplification Theorem 2.4 yields

d(F_{1−D}(X_{1−D}) | D Θ F_D S_D K Q_out) ≤ 2^{−½(−log P^F_succ((¼ − δ) n) − 2ℓ)} + ε,    (16)

which is smaller than 2ε as long as

−½ log P^F_succ((¼ − δ) n) − ℓ ≥ log(1/ε),

from which our claim follows. □



4.3 Tensor-product channels

Corollary 4.3 Let Bob's storage be described by F = N^{⊗νn} with ν > 0, where N satisfies the strong-converse property (13), and

C_N · ν < ¼.

Fix δ ∈ ]0, ¼ − C_N · ν[, and let ε be defined as in (15). Then, for any attack of a dishonest Bob, Protocol 1 is 2ε-secure against a dishonest receiver Bob according to Definition 4.1 if n ≥ 4/δ and

Proof. We can substitute n by νn and R by R/ν in the strong-converse property (13) to obtain

−(1/n) log P^{N^{⊗νn}}_succ(nR) ≥ ν · γ^N(R/ν).

The claim then follows from Theorem 4.2 by setting R := ¼ − δ. □
For the d-dimensional depolarizing channel

N_r(ρ) = r ρ + (1 − r) 𝟙/d,    (17)

which preserves a d-dimensional input state with probability r and depolarizes it completely with probability 1 − r, it has been shown in [KW09, KWW09] that

γ^{N_r}(R) = max_{α ≥ 1} (α − 1)/α · ( R − log d + 1/(α − 1) · log( (r + (1 − r)/d)^α + (d − 1) ((1 − r)/d)^α ) ).
Figure 2: Possible regions of a depolarizing qubit channel with noise parameter r and storage rate ν where security for OT can be established for asymptotically many pulses. The [KWW09]-approach yields the blue region, whereas our simpler approach gives the red subset of it.



We compare the parameters in terms of OT- and error-rate of our approach to the ones in [KWW09]. In Figure 2 the regions of the noise-parameter r and storage-rate ν from our approach (red) and the [KWW09]-approach (blue) are shown. As the information rate after min-entropy splitting in our approach is lower than without min-entropy splitting, the range of noisy storage channels for which security can theoretically be shown is smaller in our approach. However, we will see in the following that the error overhead due to the complicated post-processing with interactive hashing in [KWW09] nullifies that advantage again.

We investigate two scenarios, in both of which we are ready to accept a security error of at most 10^{−8}. In the first scenario, we are given n = 10^{10} pulses to work with against an adversary with depolarizing qubit channel (d = 2) with noise rate r and storage rate ν = 1. In our approach, according to Corollary 4.3 the security error is 2ε where ε is defined in (15); thus for n = 10^{10}, we can choose δ = 0.0106 to have the error small enough. The resulting OT-rate ℓ/n is the red line in Figure 3 for different noise rates r and a storage rate of ν = 1. In the approach of [KWW09], the security error is harder to control as it also depends on other parameters such as the noise rate r and a new parameter ω. In order to keep it below the required 10^{−8}, we choose δ = 0.011 and ω = 2. The resulting OT-rate is plotted as blue dashed line in Figure 3. Note that this amount of pulses is not sufficient to keep the security error below 10^{−8} for noise rates r above 0.21.

In Figure 4 we investigate the same setting but with many more pulses, namely n = 10^{15}. With that many pulses, the error is easier to control in the [KWW09]-approach and leads to higher OT-rates compared to our approach for noise parameters between 0.34 < r < 0.52. In all other cases, our simpler approach allows to get OT of longer strings while keeping the security error below 10^{−8}.
Figure 3: The adversary's storage is depolarizing qubit noise F = N^{⊗n} with d = 2, ν = 1, and n = 10^{10}. The horizontal axis represents the noise parameter r, while the vertical axis represents the OT-rate ℓ/n. The rates are only plotted for regions where the security error stays below 10^{−8}. The red line represents the OT-rate obtained from our approach (Corollary 4.3 with δ = 0.0106). The dashed blue line is the rate from the [KWW09]-approach with optimised extra parameters δ = 0.011 and ω = 2. For r > 0.21, the security error is above the allowed threshold 10^{−8}. For this many pulses, our approach provides a higher OT-rate for all possible noise parameters r while keeping the security error reasonably low.

Figure 4: As in Figure 3, but for many more pulses, namely n = 10^{15}. The red line represents the OT-rate obtained from our approach (Corollary 4.3 with δ = 0.000057588). The dashed blue line is the rate from the [KWW09]-approach with optimised extra parameters δ = 0.0005 and ω = 10. For r > 0.47, the security error is above the allowed threshold 10^{−8}. For noise parameters between 0.34 < r < 0.52, the [KWW09]-approach yields higher OT-rates. For all other noise rates r, our simpler approach yields higher rates.



To put these numbers of pulses into perspective, one can think of a weak-coherent pulse setup which runs at 1 GHz and emits single photons with Poisson distribution with parameter μ = 1, i.e. with probability e^{−1} ≈ 0.3679 per pulse. Hence, we have to wait approximately 27 seconds to obtain n = 10^{10} single pulses, whereas it takes 10^6 · e seconds, i.e. roughly 30 days, to generate n = 10^{15} single pulses.

5 Robust Oblivious Transfer

In a practical setting, imperfections in Alice's and Bob's apparatus as well as in the communication channel manifest themselves in the form of erasures and bit-flip errors. This setting has been analyzed for individual attacks in [STW09] and for general attacks in [WCSL10]. In the following, we present an upgraded protocol for oblivious transfer along the lines of [WCSL10] but with a much simpler and more natural post-processing.

5.1 Protocol 

We consider the same setup as in [WCSL10]. Before engaging in the actual protocol, Alice and Bob agree on a security-error probability ε > 0. The parameter p^h_{B,no click} denotes the probability that an honest Bob observes no click in his detection apparatus and the corresponding parameter ζ_{B,no click} says how much fluctuation we allow. Typically, we use a ζ_{B,no click} of order √(ln(2/ε)/(2n)) such that the Chernoff bound allows us to argue that the number of no-click rounds of an honest Bob lies in the interval [(p^h_{B,no click} − ζ_{B,no click}) n, (p^h_{B,no click} + ζ_{B,no click}) n] except with probability ε.

Error-correction is done using a one-way (forward) error correction scheme, e.g. by using low-density parity-check (LDPC) codes. The players agree on a linear code which can correct errors in a k-bit string by announcing the syndrome of the string. If each bit of the string is flipped independently with probability p^h_{B,err}, this procedure amounts to sending error-correcting information of at most 1.2 · h(p^h_{B,err}) · k bits [ELAB09].

We assume that the players have synchronized clocks. In each time slot, Alice sends one qubit 
to Bob. 

Protocol 2 Robust 1-2 ROT^ℓ(C, T, ε)

1. Alice picks x ∈_R {0,1}^n and θ ∈_R {+,×}^n uniformly at random.

2. Bob picks θ̂ ∈_R {+,×}^n uniformly at random.

3. For i = 1, ..., n: In time slot t = i, Alice sends bit x_i encoded in basis θ_i to Bob.

In each time slot, Bob measures the incoming qubit in basis θ̂_i and records whether he detects a photon or not. He obtains some bit-string x̂ ∈ {0,1}^m with m ≤ n.

4. Bob reports back to Alice in which time slots he recorded a click.

5. Alice restricts herself to the set of m ≤ n bits that Bob did not report as missing. Let this set of qubits be S_remain with |S_remain| = m. If m does not lie in the interval [(1 − p^h_{B,no click} − ζ_{B,no click}) n, (1 − p^h_{B,no click} + ζ_{B,no click}) n], then Alice aborts the protocol.

Both parties wait time Δt.

6. Alice sends the basis information θ = θ_1, ..., θ_m of the remaining positions to Bob.

7. Bob, holding choice bit c, forms the sets I_c = {i ∈ [m] | θ_i = θ̂_i} and I_{1−c} = {i ∈ [m] | θ_i ≠ θ̂_i}. He sends I_0, I_1 to Alice.

8. Alice picks two two-universal hash functions f_0, f_1 ∈_R F and sends f_0, f_1 and the syndromes syn(x|_{I_0}) and syn(x|_{I_1}) to Bob. Alice outputs s_0 = f_0(x|_{I_0}) and s_1 = f_1(x|_{I_1}).

9. Bob uses syn(x|_{I_c}) to correct the errors on his output x̂|_{I_c}. He obtains the corrected bit-string x_cor and outputs s'_c = f_c(x_cor).
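Added example (not from the paper): the two purely classical pieces that Protocol 2 adds on top of Protocol 1, namely Alice's abort test on the number of reported clicks (Step 5, with ζ_{B,no click} = √(ln(2/ε)/(2n))) and forward error correction by syndromes (Steps 8 and 9). As an assumption of the example, the [7,4] Hamming code stands in for the LDPC code, so at most one flipped bit per 7-bit block is corrected; ldpc_overhead only evaluates the 1.2 · h(p) · k figure quoted from [ELAB09] for comparison.

```python
import math

# Parity-check matrix of the [7,4] Hamming code: column j (1-based) is the
# binary expansion of j, so a single flip at position j has syndrome bin(j).
H = [[(j >> b) & 1 for j in range(1, 8)] for b in range(3)]

def block_syndrome(block):
    return [sum(h & v for h, v in zip(row, block)) % 2 for row in H]

def syn(bits):
    """Alice's error-correcting information syn(x|I_b): one 3-bit syndrome per
    7-bit block of the string (the last block is zero-padded)."""
    padded = bits + [0] * (-len(bits) % 7)
    return [block_syndrome(padded[i:i + 7]) for i in range(0, len(padded), 7)]

def correct(bits_hat, alice_syndromes):
    """Bob's Step 9: XOR-ing Alice's syndrome with the syndrome of his own noisy
    block gives the syndrome of the error pattern, which for one flipped bit is
    the 1-based position of that bit.  Two flips in one block are mis-corrected,
    which is why a real deployment uses a stronger (LDPC) code."""
    padded = bits_hat + [0] * (-len(bits_hat) % 7)
    out = []
    for start, s_alice in zip(range(0, len(padded), 7), alice_syndromes):
        block = padded[start:start + 7]
        diff = [a ^ b for a, b in zip(s_alice, block_syndrome(block))]
        pos = sum(bit << k for k, bit in enumerate(diff))
        if pos:                       # zero difference: block already correct
            block[pos - 1] ^= 1
        out.extend(block)
    return out[:len(bits_hat)]

def binary_entropy(p):
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def ldpc_overhead(p_err, k):
    """Syndrome length bound 1.2 * h(p_err) * k bits for a k-bit string [ELAB09]."""
    return 1.2 * binary_entropy(p_err) * k

def click_interval(p_no_click, n, eps):
    """Step 5: Alice accepts m reported clicks only if m lies in
    [(1 - p - zeta) n, (1 - p + zeta) n] with zeta = sqrt(ln(2/eps) / (2n))."""
    zeta = math.sqrt(math.log(2 / eps) / (2 * n))
    return (1 - p_no_click - zeta) * n, (1 - p_no_click + zeta) * n

def alice_accepts(m, p_no_click, n, eps):
    low, high = click_interval(p_no_click, n, eps)
    return low <= m <= high

if __name__ == "__main__":
    # Constructed sample: Alice's 20 bits on I_c and Bob's copy with two flips
    # (positions 3 and 12, which fall into different 7-bit blocks).
    x = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1]
    x_hat = list(x)
    x_hat[3] ^= 1
    x_hat[12] ^= 1
    print("corrected:", correct(x_hat, syn(x)) == x)
    print("Hamming syndrome bits:", 3 * len(syn(x)),
          "LDPC bound at p_err = 0.05:", round(ldpc_overhead(0.05, len(x)), 1))
    print("accept 5000 clicks of n = 10000:", alice_accepts(5000, 0.5, 10000, 1e-8),
          "accept 4000:", alice_accepts(4000, 0.5, 10000, 1e-8))
```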

5.2 Security Analysis 

Correctness If both players are honest, Bob reports back enough rounds to Alice. Therefore, in Step 5 the protocol is aborted with probability at most ε. The error-correcting codes are chosen such that Bob can decode except with probability ε. These facts imply that if both parties are honest, the protocol is correct except with probability 2ε.

Security against Dishonest Alice Even though in this scenario Bob does communicate to Alice, the information about which qubits were erased is independent of Bob's choice bit c as this bit is only used in Step 7. Hence Alice does not learn anything about his choice bit c. Her input strings can be extracted as in the analysis of Protocol 1.



Security against Dishonest Bob In the previous Section 4 we have seen that the security analysis for weak string erasure from [KWW09] essentially carries over to 1-2 oblivious transfer. Similarly, the security analysis for weak string erasure with errors from [WCSL10] can be adapted to analyse Protocol 2.

We will use the following probabilities (see [WCSL10] for details and some example parameters for concrete setups):



p^d_{B,no click}: dishonest Bob observes no click in his detection apparatus (due to imperfections in Alice's apparatus)

p^h_{B,no click}: honest Bob observes no click in his detection apparatus (due to losses and imperfections of both players' apparatus)

p_sent: Alice sends exactly 1 photon.

p^h_{B,err}: honest Bob outputs the wrong bit (due to misalignments and noise on the channel)



Theorem 5.1 (Security against dishonest Bob) Fix 0 < δ < ¼ and let

ε = 2 exp( −(δ/4)² / (32 (2 + log(1/δ))²) · m^1 ).    (18)

Then, for any attack of a dishonest Bob with storage F : B(H_in) → B(H_out), Protocol 2 is 2ε-secure against a dishonest receiver Bob according to Definition 4.1 if m^1 ≥ 4/δ and the length of the OT-strings

ℓ ≤ −½ log P^F_succ((¼ − δ) m^1) − 1.2 · h(p^h_{B,err}) · m/2 − log(1/ε),

where m^1 := (p_sent − p^h_{B,no click} + p^d_{B,no click}) n is the minimal number of single-photon rounds remaining and m = (1 − p^h_{B,no click}) n is the total number of rounds remaining.



Proof. As in [WCSL10], we adopt the conservative viewpoint that a dishonest Bob does not experience any bit-errors nor losses on the channel. Furthermore, we assume that a dishonest receiver can detect when multiple photons arrive and extract the encoded bit without knowledge of the encoding basis. These multi-photon rounds will thus not contribute to the uncertainty of a dishonest Bob. He will also not keep any quantum information about these bits.

The main complication in this more practical scenario is that a dishonest Bob might falsely report back rounds as missing in order to decrease the overall fraction of single-photon rounds where he has uncertainty about the encoded bits.

Let p^h_{B,no click} be the probability that honest Bob does not register a click (due to losses in the channel and imperfect apparatus of both players). On the other hand, let p^d_{B,no click} be the probability that a dishonest Bob does not register a click (due to imperfections in Alice's apparatus). We assume that a dishonest Bob will always report a round as missing if he did not register a click (because there is no advantage for him in not doing so). We also assumed that Bob gets full information when more than one photon was sent and hence, he will not report these rounds as missing. We conclude that out of the n rounds, dishonest Bob will report the maximal amount of (p^h_{B,no click} − p^d_{B,no click}) n single-photon rounds as missing. That means that of the total m = (1 − p^h_{B,no click}) n rounds that Alice accepts, at least

m^1 := (p_sent − (p^h_{B,no click} − p^d_{B,no click})) n    (19)

are single-photon rounds.

It can be argued as in [WCSL10] that these m^1 single-photon rounds are the (only) ones contributing to the uncertainty in terms of min-entropy about the string X. Formally, we have

H^ε_min(X_0 X_1 | Θ K) ≥ (½ − δ) m^1,    (20)

where X_0, X_1 are the sub-strings of X formed according to the index sets I_0 and I_1, 0 < δ < ¼ is fixed and the error parameter ε is

ε = 2 exp( −(δ/4)² / (32 (2 + log(1/δ))²) · m^1 ).    (21)

Proceeding as in the proof of Protocol 1 (with m^1 instead of n), classical min-entropy splitting (Lemma 2.1) then ensures that there exists a binary random variable D ∈ {0,1} such that

Then, we use Lemma 3.2 to get

H^ε_min(X_{1−D} | D Θ K Q_out) ≥ −log P^F_succ( (½ − δ) m^1 / 2 − 1 − log(1/ε) ) ≥ −log P^F_succ( (¼ − δ) m^1 ),

where the last step follows in the same way as in [KWW09] from the monotonicity of the success probability P^F_succ(k) ≤ P^F_succ(k') for k ≥ k' and the fact that log(1/ε) ≤ (δ/4) m^1 ≤ (δ/2) m^1 − 1.

Additionally, the dishonest receiver learns the two syndromes Syn(X_0), Syn(X_1). As X_0 and X_1 are not necessarily independent from dishonest Bob's point of view, the two syndromes reduce Bob's min-entropy about X_{1−D} by at most 1.2 · h(p^h_{B,err}) · m bits of information.

It follows from the chain rule for smooth min-entropy that

H^ε_min(X_{1−D} | D Θ S_D Syn(X_0) Syn(X_1) K Q_out) ≥ H^ε_min(X_{1−D} | D Θ K Q_out) − ℓ − 1.2 · h(p^h_{B,err}) · m
 ≥ −log P^F_succ((¼ − δ) m^1) − ℓ − 1.2 · h(p^h_{B,err}) · m.

The privacy amplification Theorem 2.4 yields

d(F_{1−D}(X_{1−D}) | D Θ F_D S_D K Q_out) ≤ 2^{−½(−log P^F_succ((¼ − δ) m^1) − 2ℓ − 1.2 · h(p^h_{B,err}) · m)} + ε,    (22)

which is smaller than 2ε as long as

−½ log P^F_succ((¼ − δ) m^1) − ℓ − 1.2 · h(p^h_{B,err}) · m/2 ≥ log(1/ε),

from which our claim follows. □



In the same way as Corollary 4.3 we can derive

Corollary 5.2 Let Bob's storage be given by F = N^{⊗νn} for a storage rate ν > 0, N satisfying the strong converse property (13) and having capacity C_N bounded by

C_N · ν < (¼ − δ) (p_sent − p^h_{B,no click} + p^d_{B,no click}).    (23)

Then Protocol 2 is 2ε-secure against a dishonest receiver Bob according to Definition 4.1 with the following parameters: Let δ ∈ ]0, ¼ − C_N · ν[ and m^1 ≥ 4/δ. Then the length ℓ of the OT-strings is bounded by

ℓ ≤ ½ · ν · γ^N(R/ν) · n − 1.2 · h(p^h_{B,err}) · (1 − p^h_{B,no click}) · n/2 − log(1/ε),    (24)

where γ^N is the strong converse parameter of N (see (13)) and

m = (1 − p^h_{B,no click}) n (the number of remaining rounds),
m^1 = (p_sent − p^h_{B,no click} + p^d_{B,no click}) n (the minimal number of single-photon rounds),
R = (¼ − δ) · m^1/n (the rate at which dishonest Bob has to send information through storage),

for sufficiently large n. The error has the form

ε(δ) ≤ 2 exp( −δ² / (512 (4 + log(1/δ))²) · (p_sent − p^h_{B,no click} + p^d_{B,no click}) n ).    (25)



6 Password-Based Identification 

In this section, we show how the techniques for proving security in the noisy-quantum-storage model 
also apply to the protocol from [DFSS07, DFSS10] achieving secure password-based identification 
in the bounded-quantum-storage model. This answers an open question posed in [KWW09]. 



6.1 Task and Protocol 

A user Alice wants to identify herself to a server Bob by means of a personal identification number (PIN). This task can be achieved by securely evaluating the equality function on the players' inputs: Both Alice and Bob input passwords w_A and w_B from a set of possible passwords W into the protocol and Bob learns as output whether w_A = w_B or not.

The protocol proposed in [DFSS07] is secure against an unbounded user Alice and a quantum-memory-bounded server Bob in the sense that it is guaranteed that if a dishonest player starts with quantum side information which is uncorrelated with the honest player's password w, this dishonest player is restricted to guess a possible w' and find out whether w = w' or not while not learning anything more than this mere bit of information about the honest user's password w. Formally, security is defined as follows.

Definition 6.1 We call an identification protocol between user Alice and server Bob secure for the user Alice with error ε against (dishonest) server Bob B' if the following is satisfied: whenever the initial state of B' is independent of W, the joint state ρ_{W E_{B'}} after the execution of the protocol is such that there exists a random variable W' that is independent of W and such that

ρ_{W W' E_{B'} | W' ≠ W} ≈_ε ρ_{W ↔ W' ↔ E_{B'} | W' ≠ W}.

The Markov-chain notation is explained in (…).

We consider the same protocol for password-based secure identification from [DFSS07], in the more practical form presented in [DFL+09], where the receiving party measures in a random basis. Let c : W → {+,×}^n be the encoding function of a binary code of length n with m = |W| codewords and minimal distance d. c can be chosen such that n is linear in log(m) or larger, and d is linear in n. Furthermore, let F and G be strongly two-universal classes of hash functions from {0,1}^n to {0,1}^ℓ and from W to {0,1}^ℓ, respectively, for some parameter ℓ.

Protocol 3 ([DFSS07, DFL+09]) Password-based identification Q-ID(w):

1. Alice picks x ∈_R {0,1}^n and θ ∈_R {+,×}^n. At time t = 0, she sends |x_1⟩_{θ_1}, ..., |x_n⟩_{θ_n} to Bob.

2. Bob picks θ̂ ∈_R {+,×}^n at random and measures the ith qubit in basis θ̂_i. He obtains outcome x̂ ∈ {0,1}^n.

Both parties wait time Δt.

3. Bob computes a string k ∈ {+,×}^n such that θ̂ = c(w) ⊕ k (interpreting + as 0 and × as 1 so that ⊕ makes sense). He sends k to Alice and they define the shifted code c'(w) := c(w) ⊕ k.

4. Alice sends θ and f ∈_R F to Bob. Both compute I_w := {i : θ_i = c'(w)_i}.

5. Bob sends g ∈_R G to Alice.

6. Alice sends z := f(x|_{I_w}) ⊕ g(w) to Bob.

7. Bob accepts if and only if z = f(x̂|_{I_w}) ⊕ g(w).
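Added example (not code from the paper or from [DFSS07]): a classical simulation of an honest run of Protocol 3, with the same measurement stand-in as in the Protocol 1 example (agreeing bases reproduce the bit, others yield a random bit). Assumptions of the example: the code c is a small random code whose minimal distance d is simply computed, and F and G are instantiated by the multiply-add family h_{a,b}(v) = ((a · v + b) mod p) mod 2^ℓ over the prime p = 2^61 − 1, which is strongly two-universal for inputs below p (hence n ≤ 60 here).

```python
import secrets

P = 2**61 - 1        # Mersenne prime; hash inputs must be < P, so n <= 60 below

def random_bits(n):
    return [secrets.randbelow(2) for _ in range(n)]

def measure(x, theta, theta_hat):
    """Outcome of measuring |x_i>_{theta_i} in basis theta_hat_i (classical stand-in)."""
    return [xi if t == th else secrets.randbelow(2)
            for xi, t, th in zip(x, theta, theta_hat)]

def make_code(m, n):
    """Constructed code c: W -> {+,x}^n for W = {0,..,m-1} (0 = '+', 1 = 'x'),
    here simply random; returns the codewords and their minimal distance d."""
    code = [random_bits(n) for _ in range(m)]
    d = min(sum(a != b for a, b in zip(code[i], code[j]))
            for i in range(m) for j in range(i + 1, m))
    return code, d

def hash_key():
    """A random member (a, b) of the multiply-add family (assumed instance of F and G)."""
    return 1 + secrets.randbelow(P - 1), secrets.randbelow(P)

def hash_int(key, v, ell):
    a, b = key
    return ((a * v + b) % P) % (1 << ell)

def bits_to_int(bits):
    return int("".join(map(str, bits)), 2) if bits else 0

def q_id(code, n, ell, w_alice, w_bob):
    """Honest execution of Q-ID; returns True iff Bob accepts."""
    # Steps 1-2: BB84-style transmission, Bob measures in random bases theta_hat.
    x, theta, theta_hat = random_bits(n), random_bits(n), random_bits(n)
    x_hat = measure(x, theta, theta_hat)
    # Step 3: Bob announces k with theta_hat = c(w_B) xor k; shifted code c'(w) = c(w) xor k.
    k = [th ^ ci for th, ci in zip(theta_hat, code[w_bob])]

    def shifted(w):
        return [ci ^ ki for ci, ki in zip(code[w], k)]

    # Step 4: Alice announces theta and f; each side computes I_w for its own password.
    f = hash_key()
    I_alice = [i for i in range(n) if theta[i] == shifted(w_alice)[i]]
    I_bob = [i for i in range(n) if theta[i] == shifted(w_bob)[i]]
    # Step 5: Bob announces g.  Step 6: Alice sends z = f(x|I_w) xor g(w).
    g = hash_key()
    z = hash_int(f, bits_to_int([x[i] for i in I_alice]), ell) ^ hash_int(g, w_alice, ell)
    # Step 7: on I_{w_B} Bob measured in basis c'(w_B) = theta, so x_hat agrees with x there;
    # with equal passwords the two sides compute the same value, otherwise they differ w.h.p.
    return z == hash_int(f, bits_to_int([x_hat[i] for i in I_bob]), ell) ^ hash_int(g, w_bob, ell)

if __name__ == "__main__":
    code, d = make_code(m=16, n=48)
    print("minimal distance d =", d)
    print("same password accepted:", q_id(code, 48, 32, 5, 5))
    print("wrong password accepted:", q_id(code, 48, 32, 5, 9))
```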

We note that this protocol can also be (non-trivially) extended to additionally withstand man-in-the-middle attacks [DFSS07, DFSS10].

6.2 Security Analysis 

Theorem 6.2 (Security against dishonest Bob) Fix 0 < δ < ¼ and let σ(δ) be defined as in (…). Then, for any attack of a dishonest Bob with storage channel F : B(H_in) → B(H_out), Protocol 3 is an ε-secure identification protocol against a dishonest receiver Bob according to Definition 6.1 if d ≥ (4 + 4 log(m))/δ and

ε = 2^{−½(−log P^F_succ((¼ − δ) d) − ℓ)} + 2^{−(σ(δ/4) d − log(m) − 3)}.

To understand what the result on ε means, note that using a family of asymptotically good codes, we can assume that d grows linearly with the main security parameter n, while still allowing m (the number of passwords) to be exponential in n. So we may choose the parameters such that d/n, log(m)/n, and ℓ/n are all constants. The result above now says that ε is exponentially small as a function of n if these constants and the noisy channel F fulfill that for some 0 < δ < ¼,

−(1/n) log P^F_succ((¼ − δ) d) − ℓ/n > 0 and σ(δ/4) d/n − log(m)/n > 0.

See Theorem 6.4 for a choice of parameters that also takes server security into account.
Proof.

We use upper case letters W, X, Θ, K, F, G and Z for the random variables that describe the respective values w, x, θ etc. in an execution of Q-ID.

Recall that in the noisy-storage model, we denote by K the classical outcome of Bob's encoding attack and Q_in denotes Bob's quantum state right before the waiting time.

We write X_j = X|_{I_j} for any j. Note that dishonest Bob starts without any knowledge about honest Alice's password W and hence, W is independent of X, Θ, K, F, G and Q_in.

For 1 ≤ i ≠ j ≤ m, fix the value of X, and correspondingly of X_i and X_j, at the positions where c(i) and c(j) coincide, and focus on the remaining (at least) d positions. The uncertainty relation (Theorem 2.3) implies that the restriction of X to these positions has (½ − δ/2) d bits of ε'-smooth min-entropy given Θ, where ε' ≤ 2^{−σ(δ/4) d}. Since every bit in the restricted X appears in one of X_i and X_j, the pair X_i, X_j also has (½ − δ/2) d bits of ε'-smooth min-entropy given Θ and K. The Entropy Splitting Lemma 2.2 implies that there exists W' (called V in Lemma 2.2) such that if W ≠ W' then X_W has (¼ − δ/4) d − log(m) − 1 bits of 2mε'-smooth min-entropy given W and W' (and Θ, K), i.e.,

H^{2mε'}_min(X_W | W W' Θ K, W ≠ W') ≥ (¼ − δ/4) d − log(m) − 1.

By Lemma 3.2 it follows that for Q_out = F(Q_in), we get

H^{(2m+1)ε'}_min(X_W | W W' Θ K Q_out, W ≠ W') ≥ −log P^F_succ( (¼ − δ/4) d − log(m) − 1 − log(1/ε') ) ≥ −log P^F_succ( (¼ − δ) d ),

where the last inequality follows as in the OT-case (proof of Theorem 4.2) from log(1/ε') ≤ (δ/4) d ≤ (3δ/4) d − log(m) − 1 and the assumption on d.

Privacy amplification then guarantees that F(X_W) is ε''-close to random and independent of F, W, W', Θ, K and Q_out, conditioned on W ≠ W', where ε'' = ½ · 2^{−½(−log P^F_succ((¼ − δ) d) − ℓ)} + (2m + 1) ε'. It follows that Z = F(X_W) ⊕ G(W) is ε''-close to random and independent of F, G, W, W', Θ, K and Q_out, conditioned on W ≠ W'. The rest of the argument is the same as in the original proof [DFSS10].

Formally, we want to upper bound the trace distance between ρ_{W W' E_{B'} | W' ≠ W} and ρ_{W ↔ W' ↔ E_{B'} | W' ≠ W}. Since the output state E_{B'} is, without loss of generality, obtained by applying some unitary transform to the set of registers (Z, F, G, W', Θ, K, Q_out), the distance above is equal to the distance between ρ_{W W' (Z,F,G,Θ,K,Q_out) | W' ≠ W} and ρ_{W ↔ W' ↔ (Z,F,G,Θ,K,Q_out) | W' ≠ W}. We then get:

ρ_{W W' (Z,F,G,Θ,K,Q_out) | W' ≠ W} ≈_{ε''} 𝟙_Z/|Z| ⊗ ρ_{W W' (F,G,Θ,K,Q_out) | W' ≠ W}
 = 𝟙_Z/|Z| ⊗ ρ_{W ↔ W' ↔ (F,G,Θ,K,Q_out) | W' ≠ W} ≈_{ε''} ρ_{W ↔ W' ↔ (Z,F,G,Θ,K,Q_out) | W' ≠ W},

where the approximations follow from privacy amplification and the exact equality comes from the independence of W', which, when conditioned on W' ≠ W, translates to independence given W'. The claim follows with ε = 2ε'' and the (crude) estimation 2(2m + 1) ≤ 8m. □



Theorem 6.3 (Security against dishonest Alice [DFSS07]) If H_min(W) ≥ 1, then Q-ID is secure against dishonest user Alice with security error ε = m²/2^ℓ.

We call an identification scheme e-secure against impersonation attacks if the protocol is secure 
for both players with error at most e in both cases. The following holds: 

Theorem 6.4 If H_min(W) ≥ 1, then the identification scheme Q-ID (with suitable choice of parameters) is ε-secure against impersonation attacks for any unbounded user Alice and for any server Bob with noisy storage of the form F = N^{⊗νn} with ν > 0, where N satisfies the strong-converse property (13), and

C_N · ν < ¼,

and the security error is

ε = 2^{−⅓(γ^N((¼ − δ)/ν) ν μ n − 6 log(m) − 1)} + 2^{−(σ(δ/4) μ n − log(m) − 4)}

for an arbitrary 0 < δ < ¼, and where μ = h^{−1}(1 − log(m)/n), and h^{−1} is the inverse function of the binary entropy function h(p) := −p · log(p) − (1 − p) · log(1 − p) restricted to 0 ≤ p ≤ ½. In particular, if log(m) is sublinear in n, then ε is negligible in n as long as γ^N((¼ − δ)/ν) > 0.

Proof. First of all, we have that

We choose ℓ = ⅓ · γ^N((¼ − δ)/ν) ν d. Then security against dishonest Bob holds except with an error ε = 2^{−⅓ γ^N((¼ − δ)/ν) ν d} + 2^{−(σ(δ/4) d − log(m) − 3)}, and security against dishonest Alice holds except with an error m²/2^ℓ = 2^{−⅓(γ^N((¼ − δ)/ν) ν d − 6 log(m))}. Using a code c which asymptotically meets the Gilbert-Varshamov bound [Tho83], d may be chosen arbitrarily close to n · h^{−1}(1 − log(m)/n). In particular, we can ensure that d does not differ from this value by more than 1. Inserting d = μn − 1 in the expressions and using that γ^N((¼ − δ)/ν) ν ≤ 1 yields the theorem. □



7 Conclusion 

We have used the technical tool from [KWW09] to prove the security of the original protocols for oblivious transfer and secure identification against adversaries performing general noisy-quantum-storage attacks. The main advantage of our protocols is the straightforward constant-round classical post-processing which makes them easier to implement in the lab compared to the protocols from [KWW09, WCSL10]. Their security analysis yields simpler expressions for the security error. For a given number of pulses and a low security threshold, our approach generally yields higher OT-rates. We show for the first time the security of a password-based identification protocol against general noisy-quantum-storage attacks.

This work leads to the question whether a similar result as in QKD holds, namely that general 
storage attacks are no better than coherent (or individual) storage attacks for which the best 
encoding attack is known [STW09]. 